I am Trung. I deep-dive into exceptional businesses. I follow up on their performance with my Thesis Tracker updates, and when the right price comes, I buy them for the Sleep Well Portfolio, which I am building for my daughters to redeem in 2037. I disclose my reasoning for all BUY and SELL (ideally never) transactions (1st, 2nd, 3rd, & more). Access all content here.

Build a Sleep Well Portfolio

Hi, SWIs.

This is part 2 of ‘A Sleep Well Investment In Network Security’—the 12th Sleep Well pick.

1. Executive Summary [Part 1]

2. Simplifying the Business and Cybersecurity Industry

3. Why is it a Sleep Well business? [Part 2]

   1. Purpose-built hardware and OS combo on a unified console

   2. Predictable, diversified, and enduring business model

   3. Favorable position to grow to adjacent areas

   4. Stable competitive advantages

   5. Founder led management

   6. Anti-fragile attributes

4. What can go wrong?

5. Fair price to own

6. Sleep Well Score

7. What to track

Sleep Well Ingredients

Essential and differentiated product that is a boon in a volatile environment

What I like most about Fortinet, and even more than CrowdStrike, is that its networking and security products are the first things a CISO would spend on when building and securing an enterprise IT system. In 2022, 50% of global shipments of network firewall appliances were Fortinet’s (IDC). Arguably, they are the most resilient areas. Average growth since the company's IPO in 2009 has never dipped below 18%.

These appliances and security services become even more critical when there are higher risks of threats infiltrating the organization, such as Generative AI, the rise of ransomware-as-a-service, or heightened geopolitical tensions. This is one of the anti-fragile qualities I look for in a sleep-well pick. If you are unfamiliar with this concept, anti-fragile is a term coined by Nassim Taleb explaining the ability of a business to thrive in adversity—a big factor in helping my portfolio sleep well 😴 .

What I also like about Fortinet’s products over other cybersecurity providers is that hardware and software solutions go hand in hand and are run on a custom-built operation system and chips, reinforcing the performance/cost/scalability value propositions. You can’t buy one without the other, elevating customer’s switching costs. Moreover, Fortinet custom-built technologies comprise 957 U.S. patents and 1,299 global patents. That’s three times more than Palo Alto’s at approximately 320 patents (US Patent Office). They are also recognized in 90+ enterprise analyst reports. You can’t easily replicate Fortinet’s offering, discouraging competition and copycats.

You could argue that Palo Alto would also fit the above criteria. However, there is a big difference in how the business was built.

Palo Alto offers a broader spectrum of cybersecurity solutions, from next-generation firewalls to advanced cloud security and AI-powered threat detection and response. They are mostly acquired applications and technologies, which means their platform isn’t a platform of unified hardware and software. My recent review of Crowd Strike’s FY2024 results reveals a harsh but mostly correct opinion of Palo Alto. The CEO of CrowdStrike said:

multi-platform hardware vendors evangelized their stitched together patchwork of point products, masquerading as thinly veiled piecemeal platforms. And what organizations inevitably realize is that vendor lock-in leads to deployment difficulties, skyrocketing cost and subpar cybersecurity. The outcome is shelfware and sunk costs.

ELA and bundling addiction become the only way to coax customers into purchasing nonintegrated point products. It's the organization trapped in these fragmented pseudo platforms riddled with bolt-on point products that are the ones suffering from fatigue.

Free is never free. Customers understand the difference between product pricing and the total lifetime cost of operating inferior technology.

So, Palo Alto’s platform is more like a non-integrated point product, making deployment difficult and costly.

Additionally, I am skeptical of Palo Alto’s recent aggressive M&A strategy, bringing 17 companies ($4B+) in the last five years to form its Cortex and Prisma Cloud businesses.

Gartner's (2023) report made a comment that also sticks in my mind.

Cybersecurity often gets stuck in a gear acquisition mindset, believing that around the corner there must be something better

Instead, CISOs must embrace a Minimum Effective Toolset – the fewest technologies required to observe, defend, and respond to exposures. This will enable cybersecurity to own their architecture, reducing the complexity and lack of interoperability that makes it difficult to generate value from technology investments.   

Integration is no easy task, especially when you bring in so many new companies. Ten of the 17 acquired companies have different data, technology stacks, billing systems, and cultures. While the majority of founders stayed, it will undoubtedly take years to integrate into the three core platforms: Network (Strata & Prisma SASE), Cloud (Prisma Cloud), and SecOps (Cortex). I am not convinced Palo Alto has the system/culture to integrate new technologies yet.

As a result, I prefer the Fortinet. It’s a simpler and more measured business that comprises mostly organic growth, which is less disruptive. See Palo Alto’s long list of recent acquisitions below:

• March 2017: LightCyber for approximately $100 million

• March 2018: Cloud Security company Evident.io for $300 million. This acquisition created the Prisma Cloud division.

• April 2018: Secdo

• October 2018: RedLock for $173 million

• February 2019: Demisto for $560 million

• May 2019: Twistlock for $410 million

• June 2019: PureSec for $47 million

• September 2019: Zingbox for $75 million

• November 2019: Aporeto, Inc. for $150 million

• April 2020: CloudGenix, Inc. for $420 million

• August 2020: Crypsis Group for $265 million

• November 2020: Expanse for $800 million.

• February 2021: BridgeCrew for $156 million

• November 2022: Cider Security for $300 million.

• November 2023: Talon Cyber Security for $625 million

• December 2023: Dig Security for $400 million

The acquisition spree doesn’t rule out Palo Alto as an investment. I need more time to get comfortable with its M&A strategy and integration.

Additionally, as we will see next, Fortinet’s more balanced and diversified business model than Palo Alto's fits my sleep-well philosophy better.

Productive and enduring business model

+Diversified and enduring business model

Fortinet business is truly diversified. Revenue is roughly split into

• 40/60 between hardware and software

• 41/38/21 across America, EMEA and APAC

• 38/27/23/12 across large, mid, small & managed service providers.

• It is not dependent on any industry, with 17% from governments vs Palo Alto's 60% of billings - highly concentrated.

Within the large enterprise, 76% of Fortune 100 depend on Fortinet to stay secure. As these top companies expand, Fortinet expands.

+Growth potential

Fortinet’s expansion might not be as rapid as Crowdstrike's or Cloudflare's, at 30%+. Still, its expansion to SASE (Secure Access Service Edge) promises 20%+ CAGR growth in the next 5-10 years.

At its core, SASE is a network security system for the cloud. In other words, it’s similar to an on-prem that combines networking (internet) and security but is completely cloud-based. Before a user connects to the internet/cloud applications, the traffic request will go through the FortiSASE SSE firewall - see the flowchart below.

What’s great about SASE is that it’s a natural progression from on-prem network security.

Ken Xie, the founder and CEO, said in the recent Q4’23 cc:

Network security - I feel probably around 10% year-over-year in the next maybe 3 to 5 years. SASE and Secure Ops come from a little bit smaller base, which also grow faster [20%]. And we also have a lot of existing customers about this together with us. They probably already are firewall customer or SD-WAN customer. They can easily adopt additional solution, additional product so that we see the other 2 sectors grow faster than the company average and probably will continue to grow faster in the next few quarters.

Q423 - Ken Xie, Founder and CEO

Fortinet’s leadership in network security makes it easier to sell SASE products, so execution risk is low. As per 2023 Gartner’s report, Fortinet’s SASE offering is already highly recognized. Unsurprisingly, you have seen a 28% CAGR growth in Services since 2009.

Even better, SASE broadens Fortinet’s visibility of the digital attack surface, opening the door to applications, data, endpoints, and cloud security in the future. SASE will provide Fortinet with durable growth in the next 5-10 years.

As per Scale and Battery Ventures studies of CISOs, SASE is the #1 trend in security. Organizations can’t grasp SASE quickly, as more employees work from home than pre-pandemic, and workloads are rapidly transitioning to the cloud. In 2022, the SASE market grew by 38%. Meanwhile, cost constraints drive organizations to consolidate multiple technologies with fewer vendors.

In the next five years, Gartner, McKinsey, and Forrester maintained zero trust and SASE (Secure Access Service Edge) as top technological trends for organizations and the cybersecurity industry.

By 2025, Gartner predicts around 80% of enterprises will have implemented a strategy to unify web, cloud services, and private application access using a SASE/SSE architecture. This number is a significant increase from the current 20% in 2021.

Additionally, Gartner estimates that 50% of organizations will have explicit strategies to adopt SASE by 2025, a substantial increase from the adoption rate of less than 5% in 2020. Typically, Gartner's trends span over a decade, but these remarkable trends are expected to happen quickly.

Widening moats

Fortinet’s mission-critical products and enduring business model allow it to build the most important moats. I am comfortable with Fortinet’s longevity.

+Switching cost

Once an organization with multiple branches has invested millions in Fortinet’s routers, switches, and firewalls and grown accustomed to its unified SaaS control plane, I doubt they would want to switch to other vendors. Additionally, the average Fortinet’s contract length is three years, making it less likely for customers to leave.

+Scale

76% of Fortune 100 companies are customers. Its technologies are backed by over 2000+ US and International patents and recognized by over 80+ industry reports, including Gartner, Forrester, and IDC. Fortinet is only behind Palo Alto in terms of revenue; however, Fortinet’s (more) unified control plane of over 30 network security and SecOps applications will be advantageous as consolidation continues.

+Network effect

Fortinet collects threat data centrally through its FortiLabs; as customers and threat surfaces grow, Fortinet collects more data and better its threat detection and response intelligence.

Competitors matter less in the medium-term

Competition is the biggest risk to a business's existence. However, Fortinet's position is favorable.

First, the market is huge, at $120B, and will grow at 15% on average for the next five years. The market is also extremely fragmented, with over 3,500+ companies. Fortinet’s revenue is only 3% of the total market. A rising tide lifts all boats.

Fortinet is already a leader in network security and well-positioned to stay on top. If consolidation happens quickly, its more unified (than Palo Alto) technology and data structure would be a welcoming platform for acquirees.

Finally, the surface growth of cyber security threats is exponential. Multiple approaches and multiple vendors are required to secure an enterprise. Fortinet’s approach from the network perspective will always be one of the most effective and irreplaceable.

That brings me to management.

Aligned management

I enjoy reading through Fortinet’s Management Section. For such a dynamic and fast-growing industry, it’s great to see founders remain CEO and CTO after over 20 years since founding and still deliver above-market performance. This proves they know their domain well and can adapt to market changes.

Ken Xie, the co-founder and CEO, and Michael Xie, the other co-founder and CTO, own 19% of Fortinet. This is more than the total shares owned by all executives, which is 17.54%; that’s because Ken Xie’s and Michael Xie’s ownership includes indirect shares held in trusts and foundations.

They are also paid primarily for performance.

During their tenure since 2009 (founded in 2000), they have delivered consistent and above-market performance. They have been profitable and have had a free cash flow position every year since IPO and only failed the Rule of 40 by just 4 out of 16 years.

Capital allocation

Since 2017, Fortinet has spent $2.5B in R&D and $1.1B in Capex from its $7B+ of Free cash flow, or 35% and 16% of Free cash flow on growth. The remaining free cash flow was spent on purchasing a few bolt-on businesses ($380M) and repurchasing shares ($6.1B) - which reduced 13% of shares outstanding to 768M from 865M shares.

Given Fortinet’s consistent and strong organic growth of 15%+, putting the cash purchase share in is a good use of capital. It has a $1B buyback authorization remaining.

Anti-fragile attributes

As aforementioned, anti-fragile is a concept coined by Nassim Taleb, stating the ability of a business to thrive in adversity. There are several anti-fragile attributes that I look for in a business I want to own:

1. Track record of overcoming recessions

2. Excess of resources to buffer difficult periods

3. Flexible business model that adapts to the dynamic of the market

Fortinet was founded in 2000. It thrived during the 2020 pandemic and the last economic recessions in 2001 and 2008 without burning cash in any given year. It looks like we are still in an uncertain economic and political time. However, Fortinet is still thriving with nearly $2B in free cash flow, a 33%+ free cash flow margin, and nearly $1.4B of excess cash, so it has plenty of buffer.

Despite selling hardware network appliances and the high cost of building data centers and PoP (90 points of presence), it is incredibly capital-light. It also demonstrates resilience and agility in meeting market changes, such as transitioning to cloud-based services in recent years. Its data center and PoP real estate are owned, so it’s less dependent on hyperscalers (Google, Amazon, Microsoft).

Fortinet ticks the anti-fragile box.

Risks

Network security can be cyclical as it involves upgrading the appliances and infrastructure of the entire organization.

Network security is also a slower growth business; Fortinet must execute in its SASE and SecOps segments to continue to deserve the current multiple above 30x FCF.

Competition for SASE and SecOps is strong, especially from Palo Alto, Cloudflare, Zscaler, and OS vendors in Microsoft. CrowdStrike is also an emerging leader in cloud security and can attach SASE at some point in the future.

As the industry consolidates, Fortinet must consider a more proactive M&A strategy. While the unified technology and platform will help convince acquirees, many buyers compete in this space.

Ken and Michael Xie have been delivering high performance since 2000. Thus, any major change in their role could impact Fortinet’s future.

Valuation

This is the most subjective part of the analysis. So, take it with a pinch of salt.

I mean, what is the intrinsic value of a leader with an integrated hardware and software offering in a fast-growing market and a consistent financial performance like this? Do you apply a 30x FCF multiple, 20x?

Below are the valuation multiples of other key players for some context. Fortinet, at 30x EV/FCF, is cheaper than Palo Alto, CrowdStrike, Cloudflare, and Microsoft. Trend Micro, the Japanese legacy player, is the cheapest at 23x FCF. However, as you can see, these numbers mean very little, depending on how you value the quality of the product and business model.

I value Fortinet’s sleep-well ingredients a lot.

So, using a DCF method, I attempt to find a rough value of the business.

I value Fortinet at $88/share in the base case and $53/share in the bear case, where the business grows just 6%. In both cases, I apply conservative assumptions; most notably, I don’t account for inorganic growth from future M&As and reasonable share buybacks.

The current $67/share price implies a 9% growth for the next 13 years.

Now, let’s look at the two scenarios:

1. Base case: Fortinet will grow 10% in the next 13 years with the same FCF margin and 2% yearly buyback.

2. Bear case: Fortinet will grow 6% in the next 13 years and buy back just 1% of shares yearly.

Here are my assumptions for Fortinet until FY2037:

• $5.76B revenue in FY2024 (as per guidance), 10-14% growth until FY2028, then 9% growth until FY2037.

• 77% gross margin that remains the same until FY2037.

• $1.7B free cash flow increases by 11% CAGR over the next 13 years.

• SBC remains at 7% of revenue by 2034.

• 9% WACC

  I have added some conservatism to the workings:

• Management commits to buying back 2% of shares yearly, which is lower than the last five years (3%).

• The working takes zero account of inorganic growth from M&As.

• The working takes no account of the margin expansion as the Service segment grows.

With those assumptions, at the base case, we get a fair value of $88/share, or a 30% upside from today’s price of $67/share.

With $5B+ of free cash flow in 2037, let’s apply two exit multiples to see what the company is worth using this method.

Let’s give Fortinet two exit multiples of:

• 17x FCF at the trough gives a $85B market cap in 2037 or a 4% CAGR

• 30x FCF in normal time gives a $156B market cap in 2037 or a 9% CAGR

Now, what if Fortinet underdelivers?

The fair value in this pessimistic outlook is $53/share, or a 20% downside from today’s price of $67/share.

Free cash flow in FY2037 would be $3B, so let’s apply the 17x FCF and 30x FCF multiple at exit.

• 19x FCF at the trough gives a $51B market cap in 2037 or a 0% CAGR

• 30x FCF in normal time gives a $90B market cap in 2037 or a 4.6% CAGR

Take these numbers with a pinch of salt. They are only estimates, but I feel I left some margin of safety when not considering the potential growth from M&As and the full impact of buybacks.

Sleep Well Scorecard

The Sleep Well Scorecard is my last layer of defense (from my own emotionally driven decisions) and helps me quantify the quality of market leaders.

Fortinet - the 12th pick, scores 13 out of 20 points. To see the reasoning behind each criterion - read my sleep well framework writeup here.

+1: Product relevance

Fortinet scores full points for product relevance. Networking appliances and network security are the most essential and effective ways of protecting an enterprise IT system from external threats. Its expansion to securing the cloud through SASE and SecOps products will extend its product shelf life. Nearly 76 of 100 Fortune companies are customers, a testament that the Fortinet product is highly desired. The average contract is three years and can be eight figures. There is little risk of Fortinet business going obsolete here, limiting the risk of permanent capital loss. Fortinet will likely be around when my two daughters take over the portfolio.

+3: Business model

Fortinet’s business model is resilient, highly predictable, and requires little investment. It generates recurring revenue through selling hardware products and SaaS revenue from various security modules. It has a clear path to grow organically through further innovation in its hardware, OS, and unified security platform. There are no concentration risks for customers.

+5: Financial strength

Fortinet’s financial metrics have been attractive since its IPO in 2009, with consistent and growing margins and free cash flow per share. It generates a 25%+ non-GAAP operating margin and a 33% free cash flow margin. Since then, its FCF per share has grown organically by 38% CAGR. It also has a $1.4B cash that can buffer from a recession and boost growth or buyback when opportunities arise.

+2: Management

Ken Xie and Michael Xie, the CEO and CTO, are the key men who have spearheaded Fortinet's rise to the position of leader in network security. After nearly two decades, Fortinet's purpose-built chip and operating system still give customers a performance and cost advantage. Their track record and nearly 20% ownership align with Fortinet’s shareholders’ interests.

All executives are paid with performance pay, mainly in stock options and restricted stock units (RSUs) with long-term vesting periods. Their annual equity award mix consisted of 90% RSUs and stock options.

We will keep tracking how the management delivers on its FY2024 targets and beyond. I am comfortable that their incentives are aligned, and their attitude and framework towards creating value for the business and shareholders is positive.

+1: Anti-fragile

Since 2009, Fortinet has generated free cash flow every single year. The capex light profile, $1.4B cash buffer, and resilient business model should serve Fortinet well in adversities as it thrives in political or security unrest.

-2: Competition is strong

Fortinet’s offering is essential. Its core in network security is unlikely to be displaced. However, competition in other adjacent markets, such as endpoints, cloud workload, or identity, will be strong.

+4: Moats & barriers to entry

Fortinet has points for switching costs, scale, and network effects moats, and they are widening as more of the customer's employees are trained to use Fortinet’s platform. Fortinet also benefits from high barriers to entry thanks to the complex combination of hardware and software products and in a fairly highly regulated industry.

-2: Moderate to strong risks

Expanding to adjacent markets outside Fortinet’s circle of competence carries moderate risks. M&A and integration are also not its forte, but they will be areas where it needs to be proactive as the industry consolidates.

2: Reasonable valuation

Fortinet’s valuation shows it is reasonably attractively priced in the base case (30% upside) and has a toleratable downside in the bear case (-20%). Neither were the upsides of future M&As and buybacks considered.

In summary, Fortinet scores 13/20 points and qualifies as an investment at the current rate of $67/share or a $50B market cap.

I’m comfortable with Fortinet’s product platform offering, high switching cost, and opportunity to reinvest in organic growth in the next decades; further upside is possible with good use of the $1.4B cash in M&A and buybacks.

What to track

I will be tracking market share and operation efficiencies vs. competitors. That means

• Number of top Fortune customers (currently, the top 76 out of 100 are customers)

• Growth of SASE and SecOps

• M&A and buybacks

I’ll provide a detailed tracking table in my follow-up write-up.

Conclusion

Fortinet is well-positioned to remain a leader in network security with durable growth opportunities, a best-of-class and sticky solution, and a largely recession-resistant customer base. With nearly $1.4 billion in cash, any accreditive acquisition or buyback announcement can add more value to the stock/business.

I am a buyer of Fortinet at the current range of $67/share. I will place an order and notify you once they go through in the coming days/weeks.

Your support 🥰 in spreading the word allows me to do what I do best—sifting through the haystack for market leaders, saving you time from turning over your portfolio.

Share

Share Sleep Well Investments

Give a gift subscription

Check out my most recent BUY and all other sleep-well investments writeups here.

Tickers mentioned: CRWD 0.00%↑ MSFT 0.00%↑ S 0.00%↑ OKTA 0.00%↑ PANW 0.00%↑ FTNT 0.00%↑ ZS 0.00%↑ NET 0.00%↑ CSCO 0.00%↑ ORCL 0.00%↑